Abstract

Given any collection $\mathcal{F}$ of computable functions over the reals, we
show that there exists an algorithm that, given any $\mathcal{L}_{\mathcal{F}}$-sentence $\varphi$
containing only bounded quantifiers, and any positive rational number
$\delta$, decides either "$\varphi$ is true", or "a $\delta$-strengthening of $\varphi$ is false".
Under mild assumptions, for a $\mathsf{C}$-computable signature $\mathcal{F}$, the $\delta$-decision
problem for bounded $\Sigma_k$-sentences in $\mathcal{L}_{\mathcal{F}}$ resides in $(\Sigma_k^{\mathsf{P}})^{\mathsf{C}}$. The results
stand in sharp contrast to the well-known undecidability results, and
serve as a theoretical basis for the use of numerical methods in decision
procedures for nonlinear first-order theories over the reals.



1 Introduction 

Tarski's celebrated result [24] that the first-order theory of real arithmetic
is decidable has had a profound impact on automated theorem proving,
and has generated much attention in application domains such as formal
verification, control theory, and robotics [21]. The hope is that practical
problems can be encoded as first-order formulas and automatically solved
by decision procedures for the theory. However, in spite of extensive
research in optimizing the decision algorithms [7], there is still a wide gap
between the state-of-the-art and the majority of problems in practice. One
reason is the procedures' high computational complexity: general quantifier
elimination, even restricted to a linear signature, has a doubly exponential
lower-bound [5]. A more fundamental problem is the lack of expressiveness:
many problems in the intended domains of application cannot even be
expressed in the language of real-closed fields. For instance, Hales' Flyspeck
project [15, 16], which is working on a formal verification of his proof of
the Kepler conjecture, requires checking thousands of nonlinear inequalities.
The following is typical:



where $a_i(x)$ are all quadratic functions and $A(x)$ is the determinant of a
nonlinear matrix. Problems from formal verification and control design can
appear all the more challenging because of the use of differential equations,
alternating quantifiers, as well as their sheer scale. It is well known that
even the set of $\Sigma_1$ sentences in a language extending real arithmetic with
the sine function is already undecidable. This seems to indicate that
developing general logic-based automated methods in these domains is at its core
impossible. Our goal in this paper is to show that a slight change of
perspective provides a completely different, and much more positive, outlook.

It is important to note that the theoretical negative results only refer
to the problem of deciding logic formulas symbolically and precisely. In
this setting, the numerical computability of real functions remains mostly
unexploited. This hardly reflects the wide range of solving techniques in
practice. For instance, in the Flyspeck project, the nonlinear formulas
are proved using various numerical optimization techniques, including
linear programming, interval analysis, and Bernstein approximations. In the
field of formal verification of real-time systems, a recent trend in developing
decision solvers that incorporate numerical methods has also proved very
promising [101 [H [T3l lllj . It is natural to ask whether such practices can
be theoretically justified in the context of decision problems for first-order
theories. Namely, can we give a characterization of the first-order formulas
that can be solved using numerically-driven procedures, and if so, bound
the complexity of these procedures? Can we formulate a framework for
understanding the guarantees that numerically-driven decision procedures
can provide? Can we provide general conditions under which a practical
verification problem has a satisfactory solution? We answer these questions
affirmatively. The key is to shift to a $\delta$-relaxed notion of correctness, which
is more closely aligned with the use of numerical procedures.

An informal description of what we can show is as follows. In a very
general signature that contains all the aforementioned real functions, there
exists an algorithm such that given an arbitrary sentence $\varphi$ involving only
bounded quantifiers, and an arbitrary small numerical parameter $\delta$, one of
the following decisions is returned:

• $\varphi$ is true;

• The "$\delta$-strengthening" of $\varphi$ is false.

The $\delta$-strengthening of a formula, defined below, is a numerical perturbation
which makes it slightly harder for the formula to be true. For example, the
strengthening of $\exists x \in I.\ x > 0$, where $I$ is the bound on the quantifier, is
$\exists x \in I.\ x > \delta$. Thus the algorithm reports either that the given formula
is true, or that some small perturbation makes it false. These two cases
are not mutually exclusive, and in the "grey area" where both cases hold
the algorithm is allowed to return either value. We refer to this problem (as
well as the dual problem defined below using the $\delta$-weakening of formulas) as
the "$\delta$-relaxed decision problem," or simply the "$\delta$-decision problem." The
restriction to bounded quantifiers is reasonable, since in practical problems
real-valued variables are typically considered within some range.

Here is another way of thinking about our main result. Given a small
$\delta$, we can consider the set of first-order sentences with the property that
their truth values remain invariant under $\delta$-strengthening (or $\delta$-weakening).
Such sentences can be called "$\delta$-robust," in that they do not fall into the
"grey area" mentioned in the last paragraph. We believe that, in situations
like the Flyspeck project where numerical methods are used, it is implicitly
assumed that the relevant assertions have this property. Our algorithm,
in particular, decides the truth of bounded $\delta$-robust sentences in a general
signature.

Moreover, we show that the $\delta$-decision problems reside in reasonable
complexity classes. For instance, if the signature is given by extending arithmetic
with exp and sin, the $\delta$-decision problem for bounded $\Sigma_1$-sentences is "only"
NP-complete. This should be compared with the undecidability of sentences
in this class in the ordinary setting. As another example, the $\delta$-decision
problem for arbitrarily-quantified bounded sentences with Lipschitz-continuous
ordinary differential equations is PSPACE-complete. The fact that this
complexity is not higher than that of deciding quantified Boolean formulas is
striking.

We find this relaxed decision problem particularly suitable for various
practical problems. One example is formal verification of real-time systems.
With bounded model checking techniques [6], the safety property of a system
can be expressed as a first-order sentence. When such a sentence is true,
we conclude that the system is safe. Thus, by switching to answering the
$\delta$-decision problem, we have the following guarantees. When our algorithm
returns that the input sentence is true, we know that the system is indeed
safe; otherwise, we know that a $\delta$-strengthening of the sentence is false,
which means that under some numerical perturbations, controllable by $\delta$,
the system would become unsafe.

The "general signature" we mentioned above refers to arbitrary Type
2 computable functions [25]. We now formally state our results. Let $\mathcal{F}$
be any collection of Type 2 computable real functions. First, there exists
an algorithm such that given any $\mathcal{L}_{\mathcal{F}}$-sentence containing only bounded
quantifiers, and any positive rational number $\delta$, decides the $\delta$-relaxed
decision problem. Secondly, suppose all the functions in $\mathcal{F}$ are in a Type
2 complexity class $\mathsf{C}$ (closed under polynomial-time reduction), then the
$\delta$-relaxed decision problem for $\Sigma_n$-sentences in $\mathcal{L}_{\mathcal{F}}$ resides in $(\Sigma_n^{\mathsf{P}})^{\mathsf{C}}$. Moreover,
the relaxations are necessary. Without either boundedness or $\delta$-relaxation,
the general problem would remain undecidable.

Related Work. Our results are situated with respect to a sizable body of
previous work. Ratschan's work [22] provided a first study of the effect of
numerical perturbations on first-order sentences with continuous functions,
where he focused on formulating conditions under which a formula is "stable
under perturbations". We prove as a side note that robustness in our
definition is undecidable in any undecidable theory (and decidable in a decidable
theory). In Franek, Ratschan, and Zgliczynski's most recent joint work [8],
it is proved that satisfiability of equations with real-analytic functions over
compact domains is quasi-decidable (this notion allows the non-termination
on non-robust formulas, which we do not). Despite differences in
definitions, this in essence agrees with our result restricted to $\Sigma_1$-sentences of the
corresponding signature, which is a strict subset of Type 2 computable real
functions (Type 2 computable functions can be nowhere differentiable). The
quantified cases and complexity were left open in [8]. There is a line of work
studying the notion of robustness in automata theory O |9l |2] , where
positive effects on computability of allowing numerical errors are also observed.
In computational complexity theory, extensive research has been devoted
to how relaxations or approximations affect complexity. The notions are
mainly studied in a probabilistic setting. It would be interesting to
understand its relation to the numerical perturbations we consider. All the
mentioned works agree in the direction of formalizing conditions to explain
effects of approximations and relaxations in practical approaches to hard
problems. We believe our result is the first to prove the decidability and
complexity results in the general setting of arbitrary first-order theories of
computable real functions.

The paper is organized as follows. We review the basic properties of
computable functions in Section 2. We define the decision problem and
state the main theorems in Sections 3, 4 and 5, and prove the main theorem
in Section 6. We then prove complexity results and show that the conditions
are necessary for decidability in Sections 7 and 8. We discuss applications
and practical issues in Section 9 and conclude in Section 10.

2 Preliminaries 

2.1 Computable Analysis 

Given a finite alphabet $\Sigma$, let $\Sigma^*$ denote the set of finite strings and $\Sigma^\omega$ the
set of infinite strings generated by $\Sigma$. For any $s_1, s_2 \in \Sigma^*$, $\langle s_1, s_2 \rangle$ denotes
their concatenation. An integer $z \in \mathbb{Z}$ used as a string over $\{0, 1\}$ has its
conventional binary representation. The set of dyadic rational numbers is
$\mathbb{D} = \{m/2^n : m \in \mathbb{Z}, n \in \mathbb{N}\}$.

A (set-)oracle Turing machine $M$ extends an ordinary Turing machine
with a special read/write tape called the oracle tape, and three special states
$q_{\mathrm{query}}$, $q_{\mathrm{yes}}$, $q_{\mathrm{no}}$. To execute $M$, we specify an oracle language $O \subseteq \{0, 1\}^*$ in
addition to the input $x$. Whenever $M$ enters the state $q_{\mathrm{query}}$, it queries the
oracle $O$ with the string $s$ on the oracle tape. If $s \in O$, then $M$ enters the
state $q_{\mathrm{yes}}$, otherwise it enters $q_{\mathrm{no}}$. Regardless of the choice of $O$, a
membership query to $O$ counts only as a single computation step. A function-oracle
Turing machine is defined similarly except that when the machine enters
the query state the oracle (given by a function $f : \{0, 1\}^* \to \{0, 1\}^*$) will
erase the string $s$ on the query tape and write down $f(s)$. Note that such
a machine must take steps to read the output from the query tape.

We write $M^O(x)$ (resp. $M^f(x)$) to denote the output of $M$ on input $x$ with
oracle $O$ (resp. $f$).

Computations over Infinite Strings. Standard computability theory
studies operations over finite strings and does not consider real-valued
functions. Real numbers can be encoded as infinite strings, and a theory of
computability of real functions can be developed with oracle machines that
perform operations using function-oracles encoding real numbers. This is the
approach developed in Computable Analysis, a.k.a., Type 2 Computability.
We will briefly review definitions and results of importance to us. Details
can be found in the standard references [251 13 H].

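Definition 2.1 (Names). A name of $a \in \mathbb{R}$ is defined as a function
$\gamma_a : \mathbb{N} \to \mathbb{D}$ satisfying

$\forall i \in \mathbb{N},\ |\gamma_a(i) - a| < 2^{-i}$.

For $\vec{a} \in \mathbb{R}^n$, $\gamma_{\vec{a}}(i) = \langle \gamma_{a_1}(i), \ldots, \gamma_{a_n}(i) \rangle$.

Thus the name of a real number is a sequence of dyadic rational numbers
converging to it. For $\vec{a} \in \mathbb{R}^n$, we write $\Gamma(\vec{a}) = \{\gamma : \gamma \text{ is a name of } \vec{a}\}$. Noting
that names are discrete functions, we can define

Definition 2.2 (Computable Reals). A real number $a \in \mathbb{R}$ is computable if
it has a name $\gamma_a$ that is a computable function.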

A real function $f$ is computable if there is a function-oracle Turing
machine that can take any argument $x$ of $f$ as a function oracle, and output
the value of $f(x)$ up to an arbitrary precision.

Definition 2.3 (Computable Functions). We say $f :\subseteq \mathbb{R}^n \to \mathbb{R}$ is
computable if there exists a function-oracle Turing machine $M_f$, outputting
dyadic rationals, such that:

$\forall \vec{x} \in \mathrm{dom}(f)\ \forall \gamma_{\vec{x}} \in \Gamma(\vec{x})\ \forall i \in \mathbb{N}.\ |M_f^{\gamma_{\vec{x}}}(i) - f(\vec{x})| < 2^{-i}$.

In the definition, $i$ specifies the desired error bound on the output of
$M_f$ with respect to $f(\vec{x})$. For any $\vec{x} \in \mathrm{dom}(f)$, $M_f$ has access to an oracle
encoding the name $\gamma_{\vec{x}}$ of $\vec{x}$, and outputs a $2^{-i}$-approximation of $f(\vec{x})$. In
other words, the sequence

$M_f^{\gamma_{\vec{x}}}(1), M_f^{\gamma_{\vec{x}}}(2), \ldots$

is a name of $f(\vec{x})$. Intuitively, $f$ is computable if an arbitrarily good
approximation of $f(\vec{x})$ can be obtained using any good enough approximation
to any $\vec{x} \in \mathrm{dom}(f)$.

Most common continuous real functions are computable [25]. Addition,
multiplication, absolute value, min, max, exp, sin and solutions of
Lipschitz-continuous ordinary differential equations are all computable
functions. Compositions of computable functions are computable.

A key property of the above notion of computability is that computable
functions over reals must be continuous.

Theorem 2.4 ([25]). Any computable function $f :\subseteq \mathbb{R}^n \to \mathbb{R}$ is (pointwise)
continuous.

Moreover, over any compact set $D \subseteq \mathbb{R}^n$, computable functions are
uniformly continuous with a computable modulus of continuity, defined as follows.

Definition 2.5 (Uniform Modulus of Continuity). Let $f :\subseteq \mathbb{R}^n \to \mathbb{R}$ be a
function and $D \subseteq \mathrm{dom}(f)$ a compact set. The function $m_f : \mathbb{N} \to \mathbb{N}$ is called
a uniform modulus of continuity of $f$ on $D$ if $\forall \vec{x}, \vec{y} \in D, \forall i \in \mathbb{N}$,

$\|\vec{x} - \vec{y}\| < 2^{-m_f(i)}$ implies $|f(\vec{x}) - f(\vec{y})| < 2^{-i}$.

Theorem 2.6 ([25]). Let $f :\subseteq \mathbb{R}^n \to \mathbb{R}$ be a computable function and
$D \subseteq \mathrm{dom}(f)$ a compact set. Then $f$ has a computable uniform modulus of
continuity over $D$.

Intuitively, if a function has a computable uniform modulus of
continuity, then fixing any desired error bound $2^{-i}$ on the output, we can compute
a global precision $2^{-m_f(i)}$ on the inputs from $D$ such that using any
$2^{-m_f(i)}$-approximation of any $\vec{x} \in D$, $f(\vec{x})$ can be computed within the error bound.
This suggests the following characterization theorem for computable
functions over compact domains:

Theorem 2.7 ([IE]). A real function $f : [0, 1]^n \to \mathbb{R}$ is computable iff there
exist two computable functions $m_f : \mathbb{N} \to \mathbb{N}$ and $\theta_f : (\mathbb{D} \cap [0, 1])^n \times \mathbb{N} \to \mathbb{D}$
such that

• $m_f$ is a uniform modulus function for $f$ over $[0, 1]^n$, and

• for all $\vec{d} \in (\mathbb{D} \cap [0, 1])^n$ and all $i \in \mathbb{N}$, $|\theta_f(\vec{d}, i) - f(\vec{d})| < 2^{-i}$.

When the conditions hold, we say $f$ is represented by $(m_f, \theta_f)$.

Note that it is important to know the modulus of continuity to compute
$f(x)$ for any $x \notin \mathbb{D}$, since $\theta_f$ only evaluates $f$ on dyadic points.

Complexity of Real Functions. We now turn to complexity issues. The
ordinary complexity classes such as P, NP, $\Sigma_k^{\mathsf{P}}$, PSPACE for decision problems
are defined in the standard way.

Complexity of real functions is usually defined over compact domains.
Without loss of generality, we consider functions over $[0, 1]$. Intuitively, a real
function $f : [0, 1] \to \mathbb{R}$ is (uniformly) P-computable (PSPACE-computable),
if it is computable by an oracle Turing machine $M_f$ that halts in
polynomial-time (polynomial-space) for every $i \in \mathbb{N}$ and every $x \in \mathrm{dom}(f)$. Formally,
we use the following definitions:

Definition 2.8 ([18]). A real function $f : [0,1]^n \to \mathbb{R}$ is in $\mathsf{P}_{C[0,1]}$ (resp.
$\mathsf{PSPACE}_{C[0,1]}$) iff there exists a representation $(m_f, \theta_f)$ of $f$ such that

• $m_f$ is a polynomial function, and

• for any $\vec{d} \in (\mathbb{D} \cap [0, 1])^n$, $e \in \mathbb{D}$, and $i \in \mathbb{N}$, $\theta_f(\vec{d}, i)$ is computable in
time (resp. space) $O((\mathrm{len}(\vec{d}) + i)^k)$ for some constant $k$.

More complexity classes will be defined in Section 7 in a similar way.
Most common real functions reside in $\mathsf{P}_{C[0,1]}$: absolute value, polynomials,
binary max and min, exp, and sin are all in $\mathsf{P}_{C[0,1]}$. It is shown that
solutions of Lipschitz-continuous differential equations are computable in
$\mathsf{PSPACE}_{C[0,1]}$. In fact, it is shown to be PSPACE-complete in the following
sense.

Definition 2.9 (Hardness [H]). A real function $f : D \to \mathbb{R}$ is hard for
complexity class $\mathsf{C}$ if every (discrete) problem $A$ in $\mathsf{C}$ is polynomially
reducible to $f$; that is, if there exist two polynomial-time computable functions
$g : \{0, 1\}^* \to \mathbb{D}$ and $h : \{0, 1\}^* \times \mathbb{D} \to \{0, 1\}$ and a polynomial function $p$,
such that $\forall w \in \{0, 1\}^*, \forall e \in \mathbb{D}$:

If $|e - f(g(w))| < 2^{-p(n)}$ then $w \in A \Leftrightarrow h(w, e) = 1$.

Proposition 2.10 ([17]). Let $g : [0, 1] \times \mathbb{R} \to \mathbb{R}$ be polynomial-time
computable and consider the initial value problem

$f(0) = 0,\quad \frac{df(t)}{dt} = g(t, f(t)),\quad t \in [0, 1]$.

Then computing the solution $f : [0, 1] \to \mathbb{R}$ is in PSPACE. Moreover, there
exists $g$ such that computing $f$ is PSPACE-complete.

3 Bounded Sentences in First-Order Theories with
Computable Functions

We consider first-order formulas with Type 2 computable functions
interpreted over the reals. We write $\mathcal{F}$ to denote an arbitrary collection of
symbols representing Type 2 computable functions over $\mathbb{R}^n$ for various $n$. We
always assume that $\mathcal{F}$ contains at least the constant 0, unary negation,
addition, and the absolute value. (Constants are seen as constant functions.)
Let $\mathcal{L}_{\mathcal{F}}$ be the signature $\langle \mathcal{F}, > \rangle$. $\mathcal{L}_{\mathcal{F}}$-formulas are always evaluated in the
standard way over the corresponding structure $\mathbb{R}_{\mathcal{F}} = \langle \mathbb{R}, \mathcal{F}, > \rangle$.

It is not hard to see that we only need to use atomic formulas of the
form $t(x_1, \ldots, x_n) > 0$ or $t(x_1, \ldots, x_n) \geq 0$, where $t(x_1, \ldots, x_n)$ are built up
from functions in $\mathcal{F}$. This follows from the fact that $t(\vec{x}) = 0$ can be written
as $-|t(\vec{x})| \geq 0$, $t(\vec{x}) < 0$ as $-t(\vec{x}) > 0$, and $t(\vec{x}) \leq 0$ as $-t(\vec{x}) \geq 0$. We
can then take expressions $s < t$ and $s \leq t$ to abbreviate $t - s > 0$ and
$t - s \geq 0$, respectively. Moreover, when a formula is in negation normal form,
the negations in front of atomic formulas can be eliminated by replacing
$\neg(t(\vec{x}) > 0)$ with $-t(\vec{x}) \geq 0$, and $\neg(t(\vec{x}) \geq 0)$ with $-t(\vec{x}) > 0$. In summary,
to avoid extra preprocessing of formulas, we give an explicit definition of
$\mathcal{L}_{\mathcal{F}}$-formulas as follows.

Definition 3.1 ($\mathcal{L}_{\mathcal{F}}$-Formulas). Let $\mathcal{F}$ be a collection of Type 2 functions,
which contains at least 0, unary negation $-$, addition $+$, and absolute value
$|\cdot|$. We define:

$t := x \mid f(t(\vec{x}))$, where $f \in \mathcal{F}$, possibly constant;
$\varphi := t(\vec{x}) > 0 \mid t(\vec{x}) \geq 0 \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \exists x_i \varphi \mid \forall x_i \varphi$.

In this setting $\neg\varphi$ is regarded as an inductively defined operation which
replaces atomic formulas $t > 0$ with $-t \geq 0$, atomic formulas $t \geq 0$ with
$-t > 0$, switches $\wedge$ and $\vee$, and switches $\forall$ and $\exists$. Implication $\varphi_1 \to \varphi_2$ is
defined as $\neg\varphi_1 \vee \varphi_2$.

For notational convenience, from now on we assume that $\mathcal{F}$ always
contains all rational constants.

Definition 3.2 (Bounded Quantifiers). We use the notation of bounded
quantifiers, defined as

$\exists^{[u,v]}x.\varphi =_{df} \exists x.(u \leq x \wedge x \leq v \wedge \varphi)$,
$\forall^{[u,v]}x.\varphi =_{df} \forall x.((u \leq x \wedge x \leq v) \to \varphi)$,

where $u$ and $v$ denote $\mathcal{L}_{\mathcal{F}}$ terms whose variables only contain free variables
in $\varphi$, excluding $x$. It is easy to check that $\exists^{[u,v]}x.\varphi \leftrightarrow \neg\forall^{[u,v]}x.\neg\varphi$.

We say a sentence is bounded if it only involves bounded quantifiers.

Definition 3.3 (Bounded $\mathcal{L}_{\mathcal{F}}$-Sentences). A bounded $\mathcal{L}_{\mathcal{F}}$-sentence is of the
form

$Q_1^{[u_1,v_1]}x_1 \cdots Q_n^{[u_n,v_n]}x_n.\ \psi(x_1, \ldots, x_n)$

where $Q_i^{[u_i,v_i]}$ are bounded quantifiers, and $\psi(x_1, \ldots, x_n)$ is a quantifier-free
$\mathcal{L}_{\mathcal{F}}$-formula (the matrix).

Remark 3.4. Note that by the definition of bounded quantifier, in the bound
$[u_1, v_1]$ on the first quantifier, the terms $u_1$ and $v_1$ can only be built from
constants in $\mathcal{F}$ since there are no other free variables in

excluding $x_1$.

We sometimes write a bounded sentence as $\vec{Q}^{[\vec{u},\vec{v}]}\vec{x}.\psi(\vec{x})$.

Notation 3.5. We will often write a matrix $\psi(x_1, \ldots, x_n)$ as

$\psi[t_1(\vec{x}) > 0, \ldots, t_k(\vec{x}) > 0;\ t_{k+1}(\vec{x}) \geq 0, \ldots, t_m(\vec{x}) \geq 0]$

to emphasize the fact that $\psi(\vec{x})$ is a positive Boolean combination of the
atomic formulas shown.

We use the conventional notations for the alternation hierarchy. Namely,
$\Sigma_n$ (resp. $\Pi_n$) denotes the set of all $\mathcal{L}_{\mathcal{F}}$-sentences in prenex form with $n$
alternating quantifier blocks starting with $\exists$ (resp. $\forall$).

Since trigonometric functions allow us to encode natural numbers and
consequently Diophantine equations, it is well-known that

Proposition 3.6. If $\{+, \times, \sin\} \subseteq \mathcal{F}$, then it is undecidable whether an
arbitrary $\Sigma_1$-sentence in $\mathcal{L}_{\mathcal{F}}$ is true.

In what follows, we show that in contrast to negative results like this
(which is further discussed in Section 8), a $\delta$-relaxed version of the decision
problem for general $\mathcal{L}_{\mathcal{F}}$-sentences has much better computational properties.

4 $\delta$-Variants

In this section we define $\delta$-weakening and $\delta$-strengthening of bounded
$\mathcal{L}_{\mathcal{F}}$-sentences, which explicitly introduce syntactic perturbations in a formula.
They are used to formalize the notion of $\delta$-relaxed decision problems for
$\mathcal{L}_{\mathcal{F}}$-sentences.

We will write a bound $[u, v]$ as $I$ for short.

Definition 4.1 ($\delta$-Variants). Let $\delta \in \mathbb{Q}^+ \cup \{0\}$, and $\varphi$ a bounded
$\mathcal{L}_{\mathcal{F}}$-sentence of the form

$Q_1^{I_1}x_1 \cdots Q_n^{I_n}x_n.\ \psi[t_i > 0;\ t_j \geq 0]$,

where $i \in \{1, \ldots, k\}$ and $j \in \{k+1, \ldots, m\}$. The $\delta$-strengthening $\varphi^{+\delta}$ of $\varphi$ is
defined to be the result of replacing each atomic formula $t_i > 0$ by $t_i > \delta$ and
each atomic formula $t_j \geq 0$ by $t_j \geq \delta$, that is,

$Q_1^{I_1}x_1 \cdots Q_n^{I_n}x_n.\ \psi[t_i > \delta;\ t_j \geq \delta]$,

where $i \in \{1, \ldots, k\}$ and $j \in \{k+1, \ldots, m\}$. Similarly, the $\delta$-weakening $\varphi^{-\delta}$
of $\varphi$ is defined to be the result of replacing each atomic formula $t_i > 0$ by
$t_i > -\delta$ and each atomic formula $t_j \geq 0$ by $t_j \geq -\delta$, that is,

$Q_1^{I_1}x_1 \cdots Q_n^{I_n}x_n.\ \psi[t_i > -\delta;\ t_j \geq -\delta]$.

Note that in the definition, the bounds on the quantifiers are not changed.
In fact, we can talk about $\delta$-variants of unbounded formulas as well, which
will be mentioned in Section 8. Note also that $\varphi^{+0}$ and $\varphi^{-0}$ are both
equivalent to $\varphi$, and that the notions of strengthening and weakening could have
been given a uniform definition by allowing $\delta$ to range over positive and
negative numbers. We find it a useful mnemonic, however, to have $\varphi^{+\delta}$ denote
a slight strengthening of $\varphi$ (the modified atomic constraints make it slightly
harder for $\varphi^{+\delta}$ to be true), and to have $\varphi^{-\delta}$ denote a slight weakening.

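Proposition 4.2. Suppose $\delta, \delta' \in \mathbb{Q}^+ \cup \{0\}$ satisfy $\delta > \delta'$. Then we have:

1. $\varphi^{+\delta} \to \varphi^{+\delta'} \to \varphi \to \varphi^{-\delta'} \to \varphi^{-\delta}$.

2. (Duality) $\neg(\varphi^{+\delta}) \leftrightarrow (\neg\varphi)^{-\delta}$.

This follows immediately from the definitions.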

We say that a sentence is $\delta$-robust if its truth value remains invariant
under $\delta$-weakening.

Definition 4.3 ($\delta$-Robustness). Let $\delta \in \mathbb{Q}^+ \cup \{0\}$ and $\varphi$ be a bounded
$\mathcal{L}_{\mathcal{F}}$-sentence. We say $\varphi$ is $\delta$-robust, if $\varphi^{-\delta} \to \varphi$. We say $\varphi$ is robust if it is
$\delta$-robust for some $\delta \in \mathbb{Q}^+$.

More precisely, we can say that a formula $\varphi$ is robust under $\delta$-weakening
if it has this property, and define the analogous notion of being robust under
$\delta$-strengthening. The two notions have similar properties; for simplicity, we
will restrict attention to the first notion below.

By Proposition 4.2 we always have $\varphi \to \varphi^{-\delta}$, so $\varphi$ is $\delta$-robust if and
only if we have $\varphi \leftrightarrow \varphi^{-\delta}$. Since $\varphi^{-\delta} \to \varphi$ is equivalent to $\neg\varphi^{-\delta} \vee \varphi$, saying
that $\varphi$ is robust is equivalent to saying that either $\varphi$ is true or $\varphi^{-\delta}$ is false.
Intuitively, this means that either $\varphi$ is true, or "comfortably" false in the
sense that no small perturbation makes it true.

Proposition 4.4. Let $\varphi$ be a bounded $\mathcal{L}_{\mathcal{F}}$-sentence, and $\delta, \delta' \in \mathbb{Q}^+ \cup \{0\}$.

1. If $\varphi$ is true, then it is $\delta$-robust for any $\delta$.

2. Suppose $\delta > \delta'$. If $\varphi$ is $\delta$-robust, then it is $\delta'$-robust.

Proof. By the observations above, the first is immediate, and the second
follows from Proposition 4.2. □

Remark 4.5. Note that the negation of a robust sentence may be non-robust.

Now we are ready to state our main results.

5 The Main Theorem 

Theorem 5.1. There is an algorithm which, given any bounded $\mathcal{L}_{\mathcal{F}}$-sentence
$\varphi$ and $\delta \in \mathbb{Q}^+$, correctly returns one of the following two answers:

• "True": $\varphi$ is true.

• "$\delta$-False": $\varphi^{+\delta}$ is false.

Note that the two cases can overlap. If $\varphi$ is true and $\varphi^{+\delta}$ is false, then
the algorithm is allowed to return either one.

Corollary 5.2. There is an algorithm which, given any bounded $\varphi$ and
$\delta \in \mathbb{Q}^+$, correctly returns one of the following two answers:

• "$\delta$-True": $\varphi^{-\delta}$ is true.

• "False": $\varphi$ is false.

Proof. Apply the previous algorithm to $\neg\varphi$. By Proposition 4.2 we have
$\neg(\varphi)^{-\delta} \leftrightarrow (\neg\varphi)^{+\delta}$.
So if $\neg\varphi$ is True we can report that $\varphi$ is False, and if $\neg\varphi$ is $\delta$-False
we can report that $\varphi$ is $\delta$-True. □

Corollary 5.3 (Robustness implies decidability). There is an algorithm
that, given $\delta \in \mathbb{Q}^+$ and a bounded $\delta$-robust $\varphi$, decides whether $\varphi$ is true or
false.

Proof. Apply the previous algorithm to $\varphi$. By the definition of $\delta$-robustness,
if $\varphi$ is $\delta$-True, then it is True. □

Corollary 5.4. Let $L$ be a class of bounded $\mathcal{L}_{\mathcal{F}}$-sentences. Suppose it is
undecidable whether an arbitrary sentence in $L$ is true. Then it is undecidable,
given any $\delta \in \mathbb{Q}^+$, whether an arbitrary bounded $\mathcal{L}_{\mathcal{F}}$-sentence is $\delta$-robust.

Proof. Let $\varphi$ be an arbitrary $\mathcal{L}_{\mathcal{F}}$-sentence from $L$. Suppose there exists an
algorithm that decides whether $\varphi$ is $\delta$-robust. Then, we can first decide
whether $\varphi$ is $\delta$-robust. If it is not, then following Proposition 4.4, $\varphi$ has
to be false. On the other hand, if it is, then following Corollary 5.3 it is
decidable whether $\varphi$ is true. Consequently, combining the two algorithms
we can decide whether $\varphi$ is true. This contradicts the undecidability of
sentences in $L$. □

This can be contrasted with the simple fact that if $\mathbb{R}_{\mathcal{F}}$ has a decidable
theory, then it is decidable whether any bounded $\mathcal{L}_{\mathcal{F}}$-sentence is robust,
since the condition in Definition 4.3 is just another bounded $\mathcal{L}_{\mathcal{F}}$-sentence.

In the next section we prove the main theorem, and determine the
complexity of the algorithm in the following section.



6 Proof of the Main Theorem 

We now prove the decidability of the $\delta$-decision problems. First, any $\mathcal{F}$ can
be extended as follows.

Definition 6.1 (m-Extension). Let $\mathcal{F}$ be a collection of computable
functions over reals. We define the m-extension of $\mathcal{F}$, written as $\mathcal{F}_m$, to be the
closure of $\mathcal{F}$ with the following functions:

• Binary min and max: $\min(\cdot, \cdot)$, $\max(\cdot, \cdot)$;

• Bounded min and max:

$\min\{t(\vec{x}, \vec{y}) : y_1 \in [u_1, v_1], \ldots, y_n \in [u_n, v_n]\}$,

$\max\{t(\vec{x}, \vec{y}) : y_1 \in [u_1, v_1], \ldots, y_n \in [u_n, v_n]\}$,
where $u_i$ and $v_i$ denote arbitrary $\mathcal{L}_{\mathcal{F}_m}$-terms that do not involve $y_i$.

It is a standard result in computable analysis that applying minimization
and maximization over a bounded interval preserves computability. (This
is studied in detail in Chapter 3 of [18].) Thus all functions in $\mathcal{F}_m$ are
computable. We can write the bounded min and max as $\min_{\vec{y} \in D}(t(\vec{x}, \vec{y}))$
and $\max_{\vec{y} \in D}(t(\vec{x}, \vec{y}))$ for short, where $D = [u_1, v_1] \times \cdots \times [u_n, v_n]$. For
technical reasons that will become clear in Section 7, we interpret $[u, v]$ as
$[v, u]$ when $v < u$; one can rule out this interpretation by adding $u \leq v$ as
an explicit constraint in the formula.

Now we define a notion that allows us to switch between strict and
nonstrict inequalities in the $\delta$-decision problem.

Definition 6.2 (Strictification). Suppose $\varphi$ is the formula

$\vec{Q}^{\vec{I}}\vec{x}.\psi[t_1 > 0, \ldots, t_k > 0;\ t_{k+1} \geq 0, \ldots, t_m \geq 0]$.

We say $\varphi$ is strict (resp. nonstrict), if $m = k$ (resp. $k = 0$), i.e., all the
inequalities occurring in $\varphi$ are strict (resp. nonstrict). The strictification of
$\varphi$ is defined to be

$st(\varphi) : \vec{Q}^{\vec{I}}\vec{x}.\psi[t_1 > 0, \ldots, t_k > 0, t_{k+1} > 0, \ldots, t_m > 0]$,

that is, the result of replacing all the nonstrict inequalities by strict ones.
The destrictification of $\varphi$ is

$de(\varphi) : \vec{Q}^{\vec{I}}\vec{x}.\psi[t_1 \geq 0, \ldots, t_k \geq 0, t_{k+1} \geq 0, \ldots, t_m \geq 0]$,
that is, the result of replacing all strict inequalities by nonstrict ones.

Note that the bounds on the quantifiers are not changed in the definition. 
The following fact follows directly from the definition. 

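Proposition 6.3. We have

• $st(\varphi) \to \varphi$ and $\varphi \to de(\varphi)$.

• (Duality) $st(\neg\varphi)$ is equivalent to $\neg de(\varphi)$.

Now we prove the key lemma. It establishes that any bounded
$\mathcal{L}_{\mathcal{F}}$-sentence can be expressed as an atomic formula in the extended signature
$\mathcal{L}_{\mathcal{F}_m}$.

Lemma 6.4. Let $\varphi$ be a bounded $\mathcal{L}_{\mathcal{F}}$-sentence. There is an $\mathcal{L}_{\mathcal{F}_m}$-term $\alpha(\varphi)$
that satisfies:

• $de(\varphi) \leftrightarrow \alpha(\varphi) \geq 0$, and $st(\varphi) \leftrightarrow \alpha(\varphi) > 0$;

• $de(\varphi^{+\delta}) \leftrightarrow \alpha(\varphi) \geq \delta$, and $st(\varphi^{+\delta}) \leftrightarrow \alpha(\varphi) > \delta$.

Proof. We define $\alpha$ inductively as:

• For an atom $t > 0$ or $t \geq 0$, $\alpha(\varphi) = t$.

• $\alpha(\varphi \wedge \psi) = \min(\alpha(\varphi), \alpha(\psi))$.

• $\alpha(\varphi \vee \psi) = \max(\alpha(\varphi), \alpha(\psi))$.

• $\alpha(\exists^{[u,v]}x.\varphi) = \max_{x \in [u,v]}(\alpha(\varphi))$.

• $\alpha(\forall^{[u,v]}x.\varphi) = \min_{x \in [u,v]}(\alpha(\varphi))$.

The properties are then easily verified. As an example we show that
$de(\varphi) \leftrightarrow \alpha(\varphi) \geq 0$ holds. Note that $de(\varphi)$ only contains nonstrict inequalities.

• For atomic formulas, $t \geq 0 \leftrightarrow \alpha(t) \geq 0$.

• $\alpha(\varphi \wedge \psi) \geq 0$ is defined as $\min(\alpha(\varphi), \alpha(\psi)) \geq 0$, which is equivalent
to $\alpha(\varphi) \geq 0 \wedge \alpha(\psi) \geq 0$. By inductive hypothesis, this is equivalent to
$de(\varphi) \wedge de(\psi)$, which is just $de(\varphi \wedge \psi)$. The binary max case is similar.

• $\alpha(\exists^{[u,v]}x.\varphi) \geq 0$ is defined as $\max_{x \in [u,v]}(\alpha(\varphi)) \geq 0$, which is equivalent
to $\exists^{[u,v]}x.\alpha(\varphi) \geq 0$. (If the max of $\alpha(\varphi)$ is greater than or equal to zero,
then there exists $a \in [u, v]$ such that $\alpha(\varphi(a)) \geq 0$; and vice versa.) By
inductive hypothesis, $\alpha(\varphi) \geq 0$ is equivalent to $\exists^{[u,v]}x.\varphi$. The bounded
min case is similar.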

□ 

Example 6.5. Suppose

$\varphi : \forall^{[0,1]}x_1 \exists^{[0,x_1]}x_2.(e^{x_1} > 0 \wedge x_2 > 0)$.

Then

$\alpha(\varphi) = \min_{x_1 \in [0,1]}\left(\max_{x_2 \in [0,x_1]}\left(\min(e^{x_1}, x_2)\right)\right)$.

Now we are ready to establish the main theorem. The idea is that for
any formula $\varphi$, the strictification of $\varphi$ is equivalent to the formula $\alpha(\varphi) > 0$.
Whether this holds cannot, in general, be determined algorithmically. But
given a small $\delta$, we can make a choice between the overlapping alternatives
$\alpha(\varphi) > 0$ and $\alpha(\varphi) < \delta$, and this is enough to solve the relaxed decision
problem.

Proof of Theorem 15. il Let ip be an arbitrary £jr-sentence of the form 
V : Q^'^^^^xi • • • Qt'^-^xn. ^/J[ti > 0; tj > 0], 

where i ranges in from 1 to k, and j from k + 1 to m. 

Following Lemma 16.41 we can find an £j-^-term a{(p), which satisfies: 

• st{ip) is equivalent to a{ip) > 0, and 

• {de{ip)^^) is equivalent to a{(f) > 6. 
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Since 99 is a closed sentence with no free variables, a{(p) is a term whose 
variables are all bounded by the min and max operators. Thus, a{ip) is a 
computable constant. Let M be the machine that computes a{ip). We have 

E N, \M{{)-a{ip)\ < 2-\ 

where M{i) is a dyadic rational number, we write this number as [a((^)]j. 

Since 5 is a given positive rational number, it is easy to find a dyadic ra- 
tional number that approximates 5 to an arbitrary precision. This is needed 
for the technical reason that we want 5 to have a finite binary representation. 
We now pick 5' to be a dyadic number satisfying 

Next, let A: S N satisfy < (5'/4. This number is then used to query 
the machine M as the precision requirement. Namely, we have 

We now compare $[\alpha(\varphi)]_k$ with $\delta'/2$. Note that both numbers are dyadic
rationals with finite length, and this inequality can be effectively tested. To
emphasize, we label this test:

$$[\alpha(\varphi)]_k > \frac{\delta'}{2}. \qquad (1)$$

The result of this test generates two cases, as follows. 

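• Suppose (1) is true. Then we know that

$$\alpha(\varphi) > [\alpha(\varphi)]_k - \frac{\delta'}{4} > \frac{\delta'}{2} - \frac{\delta'}{4} = \frac{\delta'}{4} > \frac{1}{4}\Big(\frac{7}{8}\delta\Big) = \frac{7}{32}\delta.$$

Consequently, $\alpha(\varphi) > 0$. Thus, in this case, we know $st(\varphi)$ is true.
Following Proposition 6.3 we know $\varphi$ is true, and return True.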

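• Suppose (1) is false. Then we know that

$$\alpha(\varphi) < [\alpha(\varphi)]_k + \frac{\delta'}{4} \leq \frac{\delta'}{2} + \frac{\delta'}{4} = \frac{3}{4}\delta' < \frac{3}{4}\Big(\frac{9}{8}\delta\Big) = \frac{27}{32}\delta.$$

Consequently, $\alpha(\varphi) < \delta$. Thus, in this case, $de(\varphi^{+\delta})$ is false. Following
Proposition 6.3 we know $\varphi^{+\delta}$ is false, and return $\delta$-False.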
In all, we have described an algorithm for deciding, given any bounded $\mathcal{L}_\mathcal{F}$-
sentence $\varphi$ and $\delta \in \mathbb{Q}^+$, whether $\varphi$ is true, or the $\delta$-strengthening of $\varphi$ is
false. □
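The decision step of the proof above, run on Example 6.5, as an added Python example (not code from the paper or from dReal). It assumes $\delta'$ is a dyadic number with $\tfrac{7}{8}\delta < \delta' < \tfrac{9}{8}\delta$ and $2^{-k} < \delta'/4$, as the two cases require; the machine $M$ is a grid evaluation justified by a per-coordinate Lipschitz bound of 3 on the term, all function names are chosen here, and `variant` is a constructed sentence.

```python
from fractions import Fraction as Q
from itertools import count

def exp_q(x, terms=10):
    """Rational Taylor sum of e^x; for x in [0,1] it is within 3/terms! of e^x."""
    total, term = Q(0), Q(1)
    for n in range(terms):
        total += term
        term = term * x / (n + 1)
    return total

def minmax(term, ops, h, point=()):
    """Nested min/max of term over the grid {0, h, ..., 1}^n, outermost op first."""
    if len(point) == len(ops):
        return term(*point)
    grid = (i * h for i in range(int(1 / h) + 1))
    return ops[len(point)](minmax(term, ops, h, point + (x,)) for x in grid)

def oracle_for(term, ops, lipschitz):
    """Machine M with |M(k) - alpha(phi)| < 2^-k, assuming term is within 3/10! of a
    function that is lipschitz-Lipschitz in each coordinate, and k <= 18."""
    def M(k):
        m = k  # grid error is at most n*L*h/2; keep it within 3/4 of 2^-k
        while len(ops) * lipschitz * Q(1, 2**m) / 2 > Q(3, 4) * Q(1, 2**k):
            m += 1
        return minmax(term, ops, Q(1, 2**m))
    return M

def dyadic_near(delta):
    """A dyadic delta' with 7/8*delta < delta' < 9/8*delta (bounds used by both cases)."""
    for j in count():
        d = Q(round(delta * 2**j), 2**j)
        if Q(7, 8) * delta < d < Q(9, 8) * delta:
            return d

def delta_decide(M, delta):
    """Test (1): query M at precision k with 2^-k < delta'/4, compare with delta'/2."""
    d = dyadic_near(delta)
    k = next(k for k in count() if Q(1, 2**k) < d / 4)
    return "True" if M(k) > d / 2 else "delta-False"

# Example 6.5, with x2 rescaled to x1*s for s in [0,1] (the substitution of Definition 7.5).
ex65 = oracle_for(lambda x1, s: min(exp_q(x1), x1 * s), (min, max), 3)
# Constructed variant (not from the paper): inner quantifier bound [0,1] instead of [0,x1].
variant = oracle_for(lambda x1, x2: min(exp_q(x1), x2), (min, max), 3)

if __name__ == "__main__":
    print(delta_decide(ex65, Q(1, 2)), delta_decide(variant, Q(1, 2)))
```

Example 6.5 has $\alpha(\varphi) = 0$ (take $x_1 = 0$), so the procedure answers $\delta$-False; the variant has $\alpha = 1$ and is reported True.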



7 Complexity and Lower Bounds 

In this section we consider the complexity of the $\delta$-decision problem for
signatures of interest. In the proof of the main theorem, we have established
a reduction from the $\delta$-decision problems of $\mathcal{L}_\mathcal{F}$ to computing the value of
$\mathcal{L}_\mathcal{F}$-terms with alternations of min and max. The complexity of computing
such terms can be exactly characterized by the min-max hierarchy over
computable functions, as defined in [18].

First, we need the definition of $C[0,1]$-functions.

Definition 7.1 ([18]). For $k \geq 0$, we say a real function $f : [0,1] \to \mathbb{R}$ is in
$\Sigma_{k,C[0,1]}$ (resp. $\Pi_{k,C[0,1]}$) if there exists a representation $(m_f, \theta_f)$ of $f$, such
that

1. The modulus function $m_f : \mathbb{N} \to \mathbb{N}$ is a polynomial, and

2. for all $d \in \mathbb{D} \cap [0,1]$ and all $i \in \mathbb{N}$, $|\theta_f(d,n) - f(d)| <$ and the set
$A_{\theta_f} = \{(d, e, 0^i) : e < \theta_f(d,i)\}$ is in $\Sigma_k^P$ (resp. $\Pi_k^P$). ($0^i$ denotes the
string of i zeros.)

Remark 7.2. Note that using membership queries to $A_{\theta_f}$, we can easily
(in polynomial-time) determine the value of $\psi(d,i)$. Thus by replacing the
third condition with P or PSPACE, we obtain the definition of $P_{C[0,1]}$ and
$PSPACE_{C[0,1]}$. It is also clear that $\Sigma_{0,C[0,1]} = \Pi_{0,C[0,1]} = P_{C[0,1]}$.

The key result as shown by Ko [18] is that, if $f(x,y)$ is in $P_{C[0,1]}$, then
$\max_{y\in[0,1]} f(x,y)$ is in $NP_{C[0,1]}$. In general, Ko proved that:

Proposition 7.3 ([18]). Let $f : [0,1]^n \to \mathbb{R}$ be a real function in $P_{C[0,1]}$.
Define $g : [0,1]^{m_0} \to \mathbb{R}$ as

$$g(x_0) = \max_{x_1\in[0,1]^{m_1}} \min_{x_2\in[0,1]^{m_2}} \cdots \operatorname{opt}_{x_k\in[0,1]^{m_k}} f(x_0, x_1, \ldots, x_k)$$

where opt is min if k is even and max if k is odd, and $\sum_{i=0}^{k} m_i = n$. We
then have $g \in \Sigma_{k,C[0,1]}$.

Following the definition of $C[0,1]$-classes, it is straightforward to obtain
the decision version of this result, and also to relativize to complexity classes
other than $P_{C[0,1]}$.
Lemma 7.4. Suppose $f : [0,1]^n \to \mathbb{R}$ is in complexity class C with a
polynomial modulus function. Define $g : [0,1]^{m_0} \to \mathbb{R}$ as

$$g(x_0) = \max_{x_1\in[0,1]^{m_1}} \min_{x_2\in[0,1]^{m_2}} \cdots \operatorname{opt}_{x_k\in[0,1]^{m_k}} f(x_0, x_1, \ldots, x_k)$$

where opt is min if k is even and max if k is odd, and $\sum_{i=0}^{k} m_i = n$. Then
there exists a representation of $g$, $(m_g, \theta_g)$, such that the following problem
is in $(\Sigma_k^P)^C$: given any $d, e \in \mathbb{D}$ and $i \in \mathbb{N}$, decide if $\theta_g(d,i) > e$.

Definition 7.5. Let $\varphi$ be of the form

We define $\varphi_{[0,1]}$ to be

$$\varphi_{[0,1]} = Q_1^{[0,1]}x_1 \cdots Q_n^{[0,1]}x_n.\,\psi[x_i/(u_i + (v_i - u_i)x_i)].$$

It is clear that $\varphi$ and $\varphi_{[0,1]}$ are equivalent and the transformation can be
done in polynomial-time. Now we are ready to state the complexity results
for the $\delta$-decision problems.

Theorem 7.6. Let $\mathcal{F}$ be a class of computable functions. Let S be a class of
$\mathcal{L}_\mathcal{F}$-sentences, such that for any $\varphi$ in S, the terms in $\varphi_{[0,1]}$ are computable in
complexity class C where $P_{C[0,1]} \subseteq C \subseteq PSPACE_{C[0,1]}$. Then, for any $\delta \in \mathbb{Q}^+$,
the $\delta$-decision problem for bounded $\Sigma_k$-sentences in S is in $(\Sigma_k^P)^C$.

Proof. Consider any $\Sigma_k$-sentence $\varphi \in S$. Write $\varphi_{[0,1]}$ as

$$\exists^{[0,1]}x_1 \forall^{[0,1]}x_2 \cdots Q_k^{[0,1]}x_k.\,\psi(x_1, \ldots, x_k),$$

where $Q_k$ is $\exists$ if k is odd and $\forall$ otherwise.

Note that since $P_{C[0,1]} \subseteq C \subseteq PSPACE_{C[0,1]}$, C is closed under polynomial-
time reduction, and every function in C has a polynomial modulus function
over [0, 1].

Following the algorithm in the proof of Theorem 5.1 we compute the
$\mathcal{L}_\mathcal{F}$-term $\alpha(\varphi_{[0,1]})$, which is of the form

$$\alpha(\varphi_{[0,1]}) = \max\ \min\ \cdots\ \operatorname{opt}\ \alpha(\psi)$$

where opt is max if k is odd and min otherwise. This step uses linear time
and $\alpha(\varphi_{[0,1]})$ is linear in the size of $\varphi$.
Following the assumptions on S, all terms in $\varphi$ are computable in C.
It follows that $\alpha(\psi)$ is computable in C, which can be shown inductively
as follows. For atomic formulas, $\alpha(\psi)$ is a term computable in C. If $\psi =
\phi_1 \wedge \phi_2$ (resp. $\phi_1 \vee \phi_2$) then by definition $\alpha(\psi) = \min(\alpha(\phi_1), \alpha(\phi_2))$ (resp.
$\max(\alpha(\phi_1), \alpha(\phi_2))$), where $\alpha(\phi_1)$ and $\alpha(\phi_2)$ are C-computable by inductive
hypothesis. Since the binary $\min(\cdot,\cdot)$ and $\max(\cdot,\cdot)$ are both computable in
polynomial-time and C is closed under polynomial-time reduction, we have
that $\alpha(\psi)$ is C-computable.

Let $\alpha(\varphi_{[0,1]})$ be represented by $(m_{\alpha(\varphi)}, \theta_{\alpha(\varphi)})$. Now, since $\alpha(\varphi)$ is C-
computable (and has a polynomial modulus function), following Lemma 7.3
we know that given any $e \in \mathbb{D}$ and $i \in \mathbb{N}$, deciding $\theta_{\alpha(\varphi)}(i) > e$ is in
$(\Sigma_k^P)^C$. (Note that $\alpha(\varphi_{[0,1]})$ is a 0-ary function.) In the proof of Theorem 5.1
we checked the condition $[\alpha(\varphi)]_k > \delta'/2$ in (1). Here, both $\delta'$ and k are
computed in linear time. Thus, the condition can be checked in $(\Sigma_k^P)^C$.

In all, we described a polynomial-time reduction from the $\delta$-decision
problem of a $\Sigma_k$-sentence $\varphi$ in $\mathcal{L}_\mathcal{F}$ to a $(\Sigma_k^P)^C$ problem. Thus, the $\delta$-decision
problem resides in $(\Sigma_k^P)^C$. □

Remark 7.7. We used the assumption that all the terms uniformly reside
in some complexity class C. It is not enough to assume only that the
signature $\mathcal{F}$ is in C, since the formulas can contain an arbitrary number of
function compositions. The complexity of evaluating compositions of functions
can easily be exponential in the number of iterative composition operations
(with linear functions). This would trivialize the problem. Under the current
assumption, each $\mathcal{L}_\mathcal{F}$-term that occurs in S is encoded as a function in C and
such composition is not allowed. Thus the complexity is measured in terms
of the length of the Boolean combinations of the $\mathcal{L}_\mathcal{F}$-terms.

As corollaries, we now prove completeness results for signatures of inter- 
est. 

Corollary 7.8. Let $\mathcal{F}$ be a set of P-computable functions (which, for
instance, includes exp and sin). The $\delta$-decision problem for bounded $\Sigma_n$-sentences
in $\mathcal{L}_\mathcal{F}$ is $\Sigma_n^P$-complete.

Proof. Following the above theorem, deciding a bounded $\Sigma_n$-sentence is in
$(\Sigma_n^P)^P$, which is just $\Sigma_n^P$.

Hardness can be shown by encoding quantified Boolean satisfiability. We
need to be careful that positive atoms are used to express negations. Let $\theta$
be a Boolean formula in CNF, whose propositional variables are $p_1, \ldots, p_m$.
Substitute $p_i$ by $x_i > 0$ and $\neg p_i$ by $-x_i > 1$, and add the clause $(x_i > 0
\vee -x_i > 1)$ to the original formula as a conjunction. Then substitute
$Qp_i$ by Qt^^'^^Xj where Q is either $\exists$ or $\forall$. It is easy to see that the new
formula is robust for any $\delta < 1/2$, and equivalent with the original Boolean
formula. □

Corollary 7.9. Suppose $\mathcal{F}$ consists of Lipschitz-continuous ODEs over compact
domains. The $\delta$-decision problem for bounded $\mathcal{L}_\mathcal{F}$-sentences is
PSPACE-complete.

Proof. Following Proposition 11, the problem is in PSPACE since $NP^{PSPACE} =
PSPACE$ [23]. Thus all the $\Sigma_n$-classes are lifted to PSPACE. It is
PSPACE-hard since it subsumes solving any single ODE, which is itself a
PSPACE-complete problem. □



8 Comparison with Negative Results 

We can contrast the above results with the following negative results, to
show that both the boundedness and $\delta$-relaxation are necessary for
decidability. If we allow the signature $\mathcal{L}_\mathcal{F}$ to be arbitrary Type 2 computable
functions, then without either boundedness or robustness, $\mathcal{L}_\mathcal{F}$-sentences are
undecidable.

Proposition 8.1. There exists $\mathcal{F}$ such that it is undecidable whether an
arbitrary quantifier-free sentence (and thus trivially bounded) in $\mathcal{L}_\mathcal{F}$ is true.

Proof. Define $h_n : \mathbb{N} \to \mathbb{N}$ as $h_n(t) = 1$ if the n-th Turing machine $M_n$ halts
in t steps, and 0 otherwise. Define

k 
i=l 

Note that $\gamma_n$ is convergent and can be seen as a name of a real number $a_n$,
and $a_n = 0$ iff the machine $M_n$ halts. Thus, if $\{a_i : i \in \mathbb{N}\} \subseteq \mathcal{F}$, there does
not exist an algorithm that can decide whether an arbitrary quantifier-free
$\mathcal{L}_\mathcal{F}$-sentence of the form $a_i = 0$ is true. □

The proof of this proposition involves adding countably many constant
symbols to the language, one for each $a_i$. Alternatively, it is not hard to
define a single computable function $g : \mathbb{Q} \to \mathbb{R}$ such that for each $i \in \mathbb{N}$,
$g(i) = a_i$, by interpolating outputs linearly for inputs between integer values.
Proposition 8.2. There exists $\mathcal{F}$ such that it is undecidable whether an
arbitrary $\delta$-robust quantifier-free $\mathcal{L}_\mathcal{F}$-sentence is true.

Proof. Let the set $\{a_i : i \in \mathbb{N}\}$ be defined as in the previous proof. Then the
function $f_n$, which is computable since is computable, has the
property that $f_n(x) = 0$ iff the n-th Turing machine halts, and $\exists x.f_n(x) = r$
for any $r \in \mathbb{R}$. This existential sentence is consequently $\delta$-robust for any $\delta$.
Thus, there does not exist an algorithm that can decide whether an arbitrary
$\delta$-robust bounded $\Sigma_1$-sentence of the form $\exists x.f_n(x) = r$ ($r \neq 0$) is true. Note
that if we bound the quantifier $\exists x$, this proof does not go through, because
fixing any bound $x < u$ and $\delta \in \mathbb{Q}^+$, there exists an $a_k$ such that $a_k \cdot u < \delta$,
which makes the formula not $\delta$-robust. Such an $a_k$ corresponds to a machine
$M_k$ which may halt after i steps, as long as $2^{-i}u < \delta$. □

Again it is not hard to replace $f_n(x)$ by a single function $h(y,x)$.

Consequently, both boundedness and robustness are necessary for
decidability of $\mathcal{L}_\mathcal{F}$-sentences, if we allow $\mathcal{F}$ to be arbitrary Type 2 computable
functions. Moreover, we can ask the following questions. Given a restricted
signature, say P-computable functions including $\times$ and sin, is it the case that
without either boundedness or robustness, simple $\mathcal{L}_\mathcal{F}$-sentences are
undecidable? Answering this should require explicit construction which is beyond
the scope of this paper. We list them as questions here.

Question 8.3. Suppose $\mathcal{F}$ contains $\{+, \times, \sin\}$ or a reasonable extension
of it with natural P-computable functions. Is it undecidable whether an
unbounded $\delta$-robust $\Sigma_1$-sentence in $\mathcal{L}_\mathcal{F}$ is true? Is it undecidable whether a
bounded $\Sigma_1$-sentence is true?

It seems plausible that both questions can be answered affirmatively.
For instance in [13], it is proved that there exists a $\delta$-robust encoding of
Turing machines using the signature only. In [20], a recent improvement on
Richardson's theorem, it is proved that there exists a function $f$ obtainable
from the signature such that it is undecidable whether it has a zero.

9 Discussion 
9.1 Applications 

Our focus in the paper is to prove theoretical results to show the
possibility of using numerical algorithms in solving hard decision problems over
reals. In practice, our framework allows the use of various practical
numerical techniques. What we have shown provides a framework for the
general evaluation of numerical methods in the context of decision problems.
Namely, to justify the use of a particular numerical method, we only need
to prove that it can solve the $\delta$-decision problem correctly, and is thus
suitable for the corresponding applications. If this is the case, we call such
a method "$\delta$-complete". Numerical methods that have the $\delta$-completeness
guarantees should also be regarded as suitable for correctness-critical problems
such as formal verification and automated theorem proving, as shown in our
work [12, 13]. As an ongoing project, we are using our theory to guide the
implementation of a $\delta$-complete solver dReal, and have observed promising
results in applications.

9.2 Extensions 

We have studied the $\delta$-decision problem for bounded first-order sentences
over the reals with computable functions. In fact, the theory of computable
functions can be developed over any domain whose elements can be encoded
as infinite strings over some finite alphabet. To show decidability of the
$\delta$-decision problems, we exploit the compactness of the domain of the variables,
and continuity of the computable functions over the domain. Thus, the same
line of reasoning can be applied to general compact metric spaces other than
the bounded real intervals, such as functions and sets. Such extensions can
be useful, for instance, for showing decidability results for ($\delta$-versions of)
control problems of dynamical systems, which can be expressed as first-
order formulas in the corresponding domains.

10 Conclusion and Future Work 

In this paper we defined a relaxed notion of decision problems for first-order
sentences over reals. We allow a decision procedure to return answers that
can have one-sided, bounded, numerical error. With this slight relaxation,
which can be well-justified in practice, bounded sentences in many important
but undecidable theories become decidable, with reasonable complexity.
For instance, solving bounded existential sentences with exponential
and sine functions becomes theoretically no harder than solving SAT problems,
and solving the quantified sentences with Lipschitz-continuous ODEs
is no harder than solving quantified Boolean formulas. We regard the
implications of these theoretical results to be profound. The framework we
proposed can also be directly used as a framework for guiding the use of
numerical methods in decision solvers. In future work, it would be very
interesting to see how this framework can be used in developing efficient
SMT/SAT solvers and theorem provers. Also, the theoretical relation to
approximations in complexity theory is worth investigating.